memory corruption problem
flxue2010
Sat Jul 19 02:04:54 2014
Hi,
I locally compiled and tested the version 6.4.0 source code,
and found that after configuring it to use the getline() implementation shipped in the source tree (compat/getline.c), without "EMBEDDED_CONFIG" defined, and running the dhcpcd command with the -f option,
it always hits a memory corruption problem in free() (dlfree in the crash dump below), called from read_config() in if-options.c.
After checking the code, I found the problem is caused by the getline() implementation in compat/getline.c.
I also checked the latest 6.4.2 code; the problem should still exist there.
Could you help confirm whether this needs to be fixed, or whether I have misunderstood something?
Thanks.
Details of the faulty logic:
if-options.c
struct if_options *
read_config(struct dhcpcd_ctx *ctx,
const char *ifname, const char *ssid, const char *profile)
{
...
#ifdef EMBEDDED_CONFIG
fp = fopen(EMBEDDED_CONFIG, "r");
if (fp == NULL)
syslog(LOG_ERR, "fopen `%s': %m", EMBEDDED_CONFIG);
while (fp && (line = get_line(&buf, &buflen, fp))) {
#else ----------<-------without define EMBEDDED_CONFIG
buflen = 80;
buf = malloc(buflen);//----------<-------malloc 80 bytes memory by default
...
fp = fopen(ctx->cffile, "r");
...
ldop = edop = NULL;
while ((line = get_line(&buf, &buflen, fp))) {)//----------<-------call getline()
...
}
fclose(fp);
free(buf);//----------<-------free buf and crash!!!
static char *
get_line(char ** __restrict buf, size_t * __restrict buflen,
FILE * __restrict fp)
{
...
do {
bytes = getline(buf, buflen, fp);
getline.c
#undef BUFSIZ
#define BUFSIZ 128
ssize_t
getline(char ** __restrict buf, size_t * __restrict buflen,
FILE * __restrict fp)
{
...
bytes = 0;
do {
if (feof(fp))
break;
if (*buf == NULL || bytes != 0) {//----------<-------as *buf will never be NULL for current case and bytes==0 for the first time, at the first loop there the code never be exceuted
newlen = *buflen + BUFSIZ;
newbuf = realloc(*buf, newlen);
if (newbuf == NULL)
return -1;
*buf = newbuf;
*buflen = newlen;
}
p = *buf + bytes;
memset(p, 0, BUFSIZ); //----------<------- and for above reason, at the first loop if *buf with an buflen less than BUFSIZ, memory cruption will come out if not so lucky
Proposed fix (reviewer caveat: in the patch below, `if (*buflen < 0)` can never be true because buflen points to an unsigned size_t, so that check is dead code; and the new guard `bytes != 0 && bytes > *buflen` only grows the buffer once bytes has already run past its end — if the original `p = *buf + bytes; memset(p, 0, BUFSIZ);` that follows is kept unchanged, the condition needs to guarantee `bytes + BUFSIZ <= *buflen` before that write, otherwise the same heap overflow can recur on a line longer than BUFSIZ):
ssize_t
getline(char ** __restrict buf, size_t * __restrict buflen,
FILE * __restrict fp)
{
size_t bytes, newlen;
char *newbuf, *p;
if (buf == NULL || buflen == NULL) {
errno = EINVAL;
return -1;
}
if (*buf == NULL)
*buflen = 0;
//++ add new code here *20140707
if (*buflen < 0) {
errno = EINVAL;
return -1;
}
//-- add new code here //
bytes = 0;
//++ add new code here *20140707
if(*buf == NULL || *buflen <= BUFSIZ) {
newlen = BUFSIZ;
newbuf = realloc(*buf, newlen);
if (newbuf == NULL)
return -1;
*buf = newbuf;
*buflen = newlen;
}
//-- add new code here //
do {
if (feof(fp))
break;
/*++ remove original code *20140707
if (*buf == NULL || bytes != 0) {
//++ add new code here */
if (bytes != 0 && bytes > *buflen) {
//-- add new code here //
newlen = *buflen + BUFSIZ;
newbuf = realloc(*buf, newlen);
if (newbuf == NULL)
return -1;
*buf = newbuf;
*buflen = newlen;
}
Crash details:
pid: 12828, tid: 12828, name: dhcpd >>> dhcpd <<<
thread: dhcpd
signal 11 (SIGSEGV), code 1 (SEGV_MAPERR), fault addr deadbaad
Abort message: 'invalid address or address of corrupt block 0xb788b688 passed to dlfree'
r0 deadbaad r1 b6f3feba r2 befb5584 r3 b6f44f09
r4 b788b688 r5 b788b6e0 r6 00000058 r7 b6f4f188
r8 b788b690 r9 b6f61fb4 sl 00000000 fp 00000000
ip 00000001 sp befb5590 lr b6f10185 pc b6f10186 cpsr 60010030
d0 2064696c61766e69 d1 2073736572646461
d2 657264646120726f d3 6f6320666f207373
d4 0000000000040000 d5 00000000b788e068
d6 0000000000000000 d7 00000003b788e148
d8 0000000000000000 d9 0000000000000000
d10 0000000000000000 d11 0000000000000000
d12 0000000000000000 d13 0000000000000000
d14 0000000000000000 d15 0000000000000000
d16 6361667265746e69 d17 0a306e616c772065
d18 0000000000000000 d19 0000000000000000
d20 0000004e00000000 d21 0000000000020000
d22 00000000b788e638 d23 00000006b788e738
d24 0000000000000000 d25 0000000000000000
d26 0000000000000000 d27 0000000000000000
d28 0000000000000000 d29 0000000000000000
d30 0000000000000000 d31 0000000000000000
scr 00000010
backtrace:
#00 pc 00012186 /system/lib/libc.so (dlfree+1409)
#01 pc 0000dd9b /system/lib/libc.so (free+10)
#02 pc 00009165 /system/bin/dhcpd//---------------<---------just the line that call free(buf);
#03 pc 00004c6b /system/bin/dhcpd
#04 pc 0000e4db /system/lib/libc.so (__libc_init+50)
#05 pc 00002aa0 /system/bin/dhcpd
stack:
befb5550 00000000
befb5554 b6f0bd89 /system/lib/libc.so (malloc+12)
befb5558 b6f2530b /system/lib/libc.so (__sseek)
befb555c 1b49fe85
befb5560 b788b688 [heap]
befb5564 b788b6e0 [heap]
befb5568 00000058
befb556c b6f11579 /system/lib/libc.so
befb5570 b6f3feba /system/lib/libc.so
befb5574 befb5584 [stack]
befb5578 b6f44f09 /system/lib/libc.so
befb557c b6f10185 /system/lib/libc.so (dlfree+1408)
befb5580 b6f3feba /system/lib/libc.so
befb5584 b788b688 [heap]
befb5588 b6f44f09 /system/lib/libc.so
befb558c 00000000
#00 befb5590 00000001
befb5594 befb56c0 [stack]
befb5598 b788b690 [heap]
befb559c 00000000
befb55a0 b6f61fb4
befb55a4 b7884020 [heap]
befb55a8 00000001
befb55ac befb56c0 [stack]
befb55b0 b788b690 [heap]
befb55b4 00000000
befb55b8 b6f61fb4
befb55bc b6f0bd9d /system/lib/libc.so (free+12)
#01 befb55c0 befb55c0 [stack]
befb55c4 b6f92169 /system/bin/dhcpd
#02 befb55c8 00000000
befb55cc b788b690 [heap]
befb55d0 b788b69a [heap]
befb55d4 00000000
befb55d8 00000000
befb55dc 00000000
befb55e0 00000003
befb55e4 00000000
befb55e8 00000000
befb55ec 00000000
befb55f0 0000005b
befb55f4 00000001
befb55f8 b6f806b8 /system/bin/linker
befb55fc b6faaf89 /system/bin/dhcpd
befb5600 00000000
befb5604 b6fa627c /system/bin/dhcpd
........ ........
#03 befb5650 befb5674 [stack]
befb5654 00000004
befb5658 b6f7ae31 /system/bin/linker
befb565c b6f7b996 /system/bin/linker
befb5660 b6f675b8
befb5664 b6fa501a /system/bin/dhcpd
befb5668 b6f4f38c
befb566c b6fa5140 /system/bin/dhcpd
befb5670 b6f806b8 /system/bin/linker
befb5674 00000004
befb5678 b6f7ba09 /system/bin/linker
befb567c b6f801d0 /system/bin/linker
befb5680 b6f806b0 /system/bin/linker
befb5684 b6f6ddc1 /system/bin/linker
befb5688 00000000
befb568c b6f80d0c /system/bin/linker
........ ........
#04 befb57f0 00000000
befb57f4 00000000
befb57f8 00000000
befb57fc 00000000
befb5800 00000000
befb5804 b6f8baa4 /system/bin/dhcpd
#05 befb5808 b6fadca8 /system/bin/dhcpd
befb580c b6fadcb0 /system/bin/dhcpd
befb5810 b6fadcb8 /system/bin/dhcpd
befb5814 befb5820 [stack]
befb5818 00000000
befb581c b6f6cae1 /system/bin/linker
befb5820 00000003
befb5824 befb5952 [stack]
befb5828 befb5958 [stack]
befb582c befb5981 [stack]
befb5830 00000000
befb5834 befb5987 [stack]
befb5838 befb599b [stack]
befb583c befb59e4 [stack]
befb5840 befb59fd [stack]
befb5844 befb5a1c [stack]
memory near r1:
b6f3fe98 6469646e 5f657461 4d005252 2070253d
b6f3fea8 70253d58 3d505220 52207025 253d5050
b6f3feb8 6e690070 696c6176 64612064 73657264
b6f3fec8 726f2073 64646120 73736572 20666f20
b6f3fed8 72726f63 20747075 636f6c62 7025206b
b6f3fee8 73617020 20646573 25206f74 616d0073
b6f3fef8 79732078 6d657473 74796220 3d207365
b6f3ff08 30312520 000a756c 74737973 62206d65
b6f3ff18 73657479 20202020 25203d20 756c3031
b6f3ff28 6e69000a 65737520 74796220 20207365
b6f3ff38 3d202020 30312520 000a756c 63617473
b6f3ff48 6f63206b 70757272 6e6f6974 74656420
b6f3ff58 65746365 73250064 3a64253a 73736120
b6f3ff68 69747265 22206e6f 20227325 6c696166
b6f3ff78 25006465 64253a73 7325203a 7361203a
b6f3ff88 74726573 206e6f69 22732522 69616620
memory near r2:
befb5564 b788b6e0 00000058 b6f11579 b6f3feba
befb5574 befb5584 b6f44f09 b6f10185 b6f3feba
befb5584 b788b688 b6f44f09 00000000 00000001
befb5594 befb56c0 b788b690 00000000 b6f61fb4
befb55a4 b7884020 00000001 befb56c0 b788b690
befb55b4 00000000 b6f61fb4 b6f0bd9d befb55c0
befb55c4 b6f92169 00000000 b788b690 b788b69a
befb55d4 00000000 00000000 00000000 00000003
befb55e4 00000000 00000000 00000000 0000005b
befb55f4 00000001 b6f806b8 b6faaf89 00000000
befb5604 b6fa627c b6fa62c9 b6faaf89 b6f4b060
befb5614 b788b69a b788b690 00000050 00000000
befb5624 00000000 00000003 00000000 befb5824
befb5634 00000000 00000003 00000000 00000000
befb5644 b6fade14 b6f4b058 b6f8dc6f befb5674
befb5654 00000004 b6f7ae31 b6f7b996 b6f675b8
memory near r3:
b6f44ee8 755f6573 6573756e 65735f64 6e656d67
b6f44ef8 74007374 6c6c616d 735f636f 6c6c616d
b6f44f08 666c6400 00656572 6c616d74 5f636f6c
b6f44f18 6772616c 6e6d0065 746e6574 6567202a
b6f44f28 746e6d74 28746e65 454c4946 6900292a
b6f44f38 7420746e 616e7974 725f656d 746e6928
b6f44f48 6863202c 2c2a7261 7a697320 29745f65
b6f44f58 696f7600 6e652064 65777064 2928746e
b6f44f68 61686300 67202a72 73757465 68737265
b6f44f78 286c6c65 6f760029 73206469 73757465
b6f44f88 68737265 286c6c65 68630029 202a7261
b6f44f98 6e797474 28656d61 29746e69 696f7600
b6f44fa8 6e652064 65737564 65687372 29286c6c
b6f44fb8 32313000 36353433 41393837 45444342
b6f44fc8 49484746 4d4c4b4a 51504f4e 55545352
b6f44fd8 59585756 6362615a 67666564 6b6a6968
memory near r4:
b788b668 000000dd 00040000 00000000 b788d460
b788b678 00000000 00000000 00000000 b788d4b8
b788b688 00000003 0000005b 65746e69 63616672
b788b698 6c770065 00306e61 00000000 00000000
b788b6a8 00000000 00000000 00000000 00000000
b788b6b8 00000000 00000000 00000000 00000000
b788b6c8 00000000 00000000 00000000 00000000
b788b6d8 00000000 00000000 00000000 00000000
b788b6e8 00000000 00000000 00000000 00000000
b788b6f8 00000000 00000000 00000000 00000000
b788b708 00000000 00000000 b788d660 00000001
b788b718 b788d688 00000002 00000005 000b0000
b788b728 00000000 b788d6d8 00000000 b788d730
b788b738 00000003 b788d7a0 00000001 00000006
b788b748 00000104 00000000 b788d708 00000000
b788b758 00000000 00000000 00000000 00000000
memory near r5:
b788b6c0 00000000 00000000 00000000 00000000
b788b6d0 00000000 00000000 00000000 00000000
b788b6e0 00000000 00000000 00000000 00000000
b788b6f0 00000000 00000000 00000000 00000000
b788b700 00000000 00000000 00000000 00000000
b788b710 b788d660 00000001 b788d688 00000002
b788b720 00000005 000b0000 00000000 b788d6d8
b788b730 00000000 b788d730 00000003 b788d7a0
b788b740 00000001 00000006 00000104 00000000
b788b750 b788d708 00000000 00000000 00000000
b788b760 00000000 00000000 00000007 00000002
b788b770 00000000 b788d7c8 00000000 00000000
b788b780 00000000 00000000 00000000 00000008
b788b790 00000004 00000000 b788d7d8 00000000
b788b7a0 00000000 00000000 00000000 00000000
b788b7b0 00000009 00004000 00000000 b788d7e8
memory near r7:
b6f4f168 00000000 00000000 00000000 00000000
b6f4f178 00000000 00000000 00000000 00000000
b6f4f188 00000400 00000000 00000970 00000e08
b6f4f198 b7884000 b788b6e0 b78901d0 00200000
b6f4f1a8 00000ffd 069330e8 00000000 00000000
b6f4f1b8 b6f4f1b0 b6f4f1b0 b6f4f1b8 b6f4f1b8
b6f4f1c8 b6f4f1c0 b6f4f1c0 b788cda8 b788cda8
b6f4f1d8 b788ce58 b788ce58 b788e650 b788e650
b6f4f1e8 b788d158 b788d158 b6f4f1e8 b6f4f1e8
b6f4f1f8 b6f4f1f0 b6f4f1f0 b6f4f1f8 b6f4f1f8
b6f4f208 b788e6d0 b788e6d0 b6f4f208 b6f4f208
b6f4f218 b6f4f210 b6f4f210 b6f4f218 b6f4f218
b6f4f228 b788cd50 b788cd50 b6f4f228 b6f4f228
b6f4f238 b6f4f230 b6f4f230 b6f4f238 b6f4f238
b6f4f248 b6f4f240 b6f4f240 b788e688 b788e688
b6f4f258 b6f4f250 b6f4f250 b6f4f258 b6f4f258
memory near r8:
b788b670 00000000 b788d460 00000000 00000000
b788b680 00000000 b788d4b8 00000003 0000005b
b788b690 65746e69 63616672 6c770065 00306e61
b788b6a0 00000000 00000000 00000000 00000000
b788b6b0 00000000 00000000 00000000 00000000
b788b6c0 00000000 00000000 00000000 00000000
b788b6d0 00000000 00000000 00000000 00000000
b788b6e0 00000000 00000000 00000000 00000000
b788b6f0 00000000 00000000 00000000 00000000
b788b700 00000000 00000000 00000000 00000000
b788b710 b788d660 00000001 b788d688 00000002
b788b720 00000005 000b0000 00000000 b788d6d8
b788b730 00000000 b788d730 00000003 b788d7a0
b788b740 00000001 00000006 00000104 00000000
b788b750 b788d708 00000000 00000000 00000000
b788b760 00000000 00000000 00000007 00000002
memory near r9:
b6f61f94 00000000 00000000 00000000 00000000
b6f61fa4 00000000 00000000 00000000 00000000
b6f61fb4 b788f1e0 00000034 00000000 00030484
b6f61fc4 b788f1d0 00001000 00000000 b6f61fb4
b6f61fd4 b6f2532f b6f252b1 b6f2530b b6f252d3
b6f61fe4 b6f61e50 00000000 00000000 00000000
b6f61ff4 00000000 00000000 00000000 00001000
b6f62004 000001fa 00000000 00000000 00000000
b6f62014 00000000 00000000 00000000 00000000
b6f62024 00000000 00000000 00000000 00000000
b6f62034 00000000 b6f61e60 00000000 00000000
b6f62044 00000000 00000000 00000000 00000000
b6f62054 00000000 00000000 00000000 00000000
b6f62064 00000000 00000000 00000000 00000000
b6f62074 00000000 00000000 00000000 00000000
b6f62084 00000000 00000000 b6f61e70 00000000
memory near sp:
befb5570 b6f3feba befb5584 b6f44f09 b6f10185
befb5580 b6f3feba b788b688 b6f44f09 00000000
befb5590 00000001 befb56c0 b788b690 00000000
befb55a0 b6f61fb4 b7884020 00000001 befb56c0
befb55b0 b788b690 00000000 b6f61fb4 b6f0bd9d
befb55c0 befb55c0 b6f92169 00000000 b788b690
befb55d0 b788b69a 00000000 00000000 00000000
befb55e0 00000003 00000000 00000000 00000000
befb55f0 0000005b 00000001 b6f806b8 b6faaf89
befb5600 00000000 b6fa627c b6fa62c9 b6faaf89
befb5610 b6f4b060 b788b69a b788b690 00000050
befb5620 00000000 00000000 00000003 00000000
befb5630 befb5824 00000000 00000003 00000000
befb5640 00000000 b6fade14 b6f4b058 b6f8dc6f
befb5650 befb5674 00000004 b6f7ae31 b6f7b996
befb5660 b6f675b8 b6fa501a b6f4f38c b6fa5140
code around pc:
b6f10164 44784848 1e4a6a01 b95a6202 fb20f7fd
b6f10174 4845e008 4a454621 447a4478 f9f2f001
b6f10184 6004481a 44784842 21bcf8d0 d52a0792
b6f10194 70e0f500 e8bdb005 f02d43f0 483db9f1
b6f101a4 46239300 f7fd4478 2800fa03 ad9af47f
b6f101b4 4839e63d e5b24478 429f688f ada2f43f
b6f101c4 9000e5a4 4835462b f7fd4478 2800f9f1
b6f101d4 af22f43f 4832e586 e5a04478 42ab688b
b6f101e4 ae94f43f b005e696 83f0e8bd deadbaad
b6f101f4 0003f56a 0003f55c 0003f4c4 00035219
b6f10204 0003f46e 000351e5 00030036 00030129
b6f10214 0003f40c 00035183 0003f3f0 0003f3dc
b6f10224 00030079 0003510d 00030057 000350eb
b6f10234 0003f33a 0003f31e 0003f2bc 0003f2a6
b6f10244 0003f268 00034fe1 0003f220 0002fe2a
b6f10254 0002ff1d 00034f7b 0003f1ea 0003f1d8
code around lr:
b6f10164 44784848 1e4a6a01 b95a6202 fb20f7fd
b6f10174 4845e008 4a454621 447a4478 f9f2f001
b6f10184 6004481a 44784842 21bcf8d0 d52a0792
b6f10194 70e0f500 e8bdb005 f02d43f0 483db9f1
b6f101a4 46239300 f7fd4478 2800fa03 ad9af47f
b6f101b4 4839e63d e5b24478 429f688f ada2f43f
b6f101c4 9000e5a4 4835462b f7fd4478 2800f9f1
b6f101d4 af22f43f 4832e586 e5a04478 42ab688b
b6f101e4 ae94f43f b005e696 83f0e8bd deadbaad
b6f101f4 0003f56a 0003f55c 0003f4c4 00035219
b6f10204 0003f46e 000351e5 00030036 00030129
b6f10214 0003f40c 00035183 0003f3f0 0003f3dc
b6f10224 00030079 0003510d 00030057 000350eb
b6f10234 0003f33a 0003f31e 0003f2bc 0003f2a6
b6f10244 0003f268 00034fe1 0003f220 0002fe2a
b6f10254 0002ff1d 00034f7b 0003f1ea 0003f1d8